The Garden-Hose Model PDF

The Garden-Hose Game
A New Model of Computation, and Application to Position-Based Quantum Cryptography

Harry Buhrman⋆, Serge Fehr, Christian Schaffner⋆⋆, and Florian Speelman⋆

Centrum Wiskunde & Informatica (CWI), The Netherlands
University of Amsterdam, The Netherlands

arXiv:1109.2563v2 [quant-ph] 13 Sep 2011

Abstract. We study position-based cryptography in the quantum setting. We examine a class of protocols that only require the communication of a single qubit and $2n$ bits of classical information. To this end, we define a new model of communication complexity, the garden-hose model, which enables us to prove upper bounds on the number of EPR pairs needed to attack such schemes. This model furthermore opens up a way to link the security of quantum position-based cryptography to traditional complexity theory.

1 Introduction

Background: Position-based (Quantum) Cryptography

The goal of position-based cryptography is to use the geographical position of a party as its only “credential”. For example, one would like to send a message to a party at a geographical position pos with the guarantee that the party can decrypt the message only if he or she is physically present at pos. The general concept of position-based cryptography was introduced by Chandran, Goyal, Moriarty and Ostrovsky [CGMO09].

A central task in position-based cryptography is the problem of position-verification. We have a prover $P$ at position pos, wishing to convince a set of verifiers $V_0, \ldots, V_k$ (at different points in geographical space) that $P$ is indeed at that position pos. The prover can run an interactive protocol with the verifiers in order to convince them. The main technique for such a protocol is known as distance bounding [BC94].
In this technique, a verifier sends a random nonce to $P$ and measures the time taken for $P$ to reply back with this value. Assuming that the speed of communication is bounded by the speed of light, this technique gives an upper bound on the distance of $P$ from the verifier.

The problem of secure position-verification has been studied before in the field of wireless security, and there have been several proposals for this task ([BC94, SSW03, VN04, Bus04, CH05, SP05, ZLFW06, CCS06]). However, [CGMO09] shows that there exists no protocol for secure position-verification that offers security in the presence of multiple colluding adversaries. In other words, the set of verifiers cannot distinguish between the case when they are interacting with an honest prover at pos and the case when they are interacting with multiple colluding dishonest provers, none of which is at position pos.

The impossibility result of [CGMO09] relies heavily on the fact that an adversary can locally store all information he receives and at the same time share this information with other colluding adversaries, located elsewhere. Due to the no-cloning theorem, such a strategy will not work in the quantum setting, which opens the door to secure protocols that use quantum information. The quantum model was first studied by Kent et al. under the name of “quantum tagging” [KMSB06, KMS11]. Several schemes were developed [KMS11, Mal10a, CFG+10, Mal10b, LL11] and proven later to be insecure. Finally in [BCF+11] it was shown that in general no unconditionally secure quantum position-verification scheme is possible. Any scheme can be broken using a double exponential amount of EPR pairs in the size of the messages of the protocol. Later, Beigi and König improved in [BK11] the double exponential dependence to single exponential making use of port-based teleportation [IH08, IH09].

⋆ Supported by a NWO VICI grant and the EU 7th framework grant QCS.
⋆⋆ Supported by a NWO VENI grant.
Due to the exponential overhead in EPR pairs, the general no-go theorem does not rule out the existence of quantum schemes that are secure for all practical purposes. Such schemes should have the property that the protocol, when followed honestly, is feasible, but cheating the protocol requires unrealistic amounts of resources, for example EPR pairs or time.

Analyzing the Beigi-König Scheme

To this end, Beigi and König [BK11] proposed a position-verification scheme using mutually unbiased bases. They showed that if the colluding parties are not allowed to send quantum, but only classical information to each other, then a linear amount of entanglement is necessary to break the scheme. They left open whether more entanglement was needed. As a first contribution, we close this gap and show that a linear number of EPR pairs is also sufficient to break the scheme.

An Interesting Class of Schemes

Furthermore, we consider a class of schemes that only involve a single qubit, and $2n$ classical bits. Such schemes were first considered by Kent et al. [KMS11]. We focus on the one-dimensional set-up. The schemes easily generalize to three-dimensional space. The prover wants to convince the two verifiers, $V_0$ and $V_1$, that he is at position pos on the line in between them. $V_0$ sends a qubit $|\phi\rangle$ prepared in a random basis to $P$. In addition, $V_0$ sends a string $x \in \{0,1\}^n$ and $V_1$ a $y \in \{0,1\}^n$ to $P$. All messages are timed such that they arrive at the same time at $P$'s claimed position. After receiving $|\phi\rangle$, $x$ and $y$, $P$ computes a predetermined Boolean function $f(x,y)$.¹ He sends $|\phi\rangle$ to $V_0$ if $f(x,y) = 0$ and to $V_1$ otherwise. $V_0$ and $V_1$ check that they receive the correct qubit in time corresponding to pos and measure the received qubit in the basis corresponding to which it was prepared. In order to cheat the scheme, we imagine two provers $P_0$ and $P_1$ on either side of the claimed position pos, who try to simulate the correct behavior of an honest $P$ at pos.
The attack described in [KMS11] and the general no-go theorems from [BCF+11, BK11] imply that there is a strategy for $P_0$ and $P_1$ such that they can accomplish the following. $P_0$ receives $|\phi\rangle$, $x$ and $P_1$ receives $y$. They are allowed to simultaneously send a single message to each other such that upon receiving that message they both know $f(x,y)$ and if $f(x,y) = 0$ then $P_0$ still has $|\phi\rangle$, otherwise $P_1$ has it in his possession. This teleportation-based cheating strategy however requires an exponential amount of EPR pairs (in $n$). We show in this paper that the number of EPR pairs required for such a protocol can be upper-bounded by a complexity measure that is related to the non-uniform space complexity of computing $f$. This complexity can sometimes be much smaller. For example, it follows that if $f(x,y)$ can be computed in logspace, then there is a cheating strategy that only requires a polynomial amount of entanglement. Our proof is inspired by permutation branching programs introduced by Barrington [Bar89] and a general technique to make log-space computations reversible [LMT97].

¹ We assume for simplicity that computation does not take any time.

The motivation for considering this particular protocol for position-verification is the hope that for “complicated enough” functions $f(x,y)$, the amount of entanglement needed to successfully break the security of the protocol grows (at least) linearly in the bit length $n$ of the classical strings $x, y$. If this intuition is true, it is a very interesting property of the protocol that we obtain a favorable relation between quantum and classical difficulty of operations in the following sense: if we increase the length of the classical inputs $x, y$, we require more classical computing power of the honest prover, whereas more quantum resources (in form of entangled states) are required by the adversary to break the protocol.
Thus, the more classical resources the honest users use to faithfully execute the scheme, the more quantum resources the adversary needs in order to break it. To the best of our knowledge, such a trade-off has never been observed for a quantum-cryptographic protocol.

We give some first indications that the above may indeed be true. We show that if $f$ is injective in $x$ (meaning that $\forall x \neq x' \; \exists y : f(x,y) \neq f(x',y)$) or in $y$ (defined accordingly), then for any attack that succeeds with certainty, the two dishonest provers require a joint quantum working space consisting of at least a logarithmic amount of qubits in $n$. Also, we show that if the entangled starting state for the dishonest provers is fixed, e.g. a list of EPR pairs, then there exists a function $f$ for which the starting state must consist of at least linearly many qubits in $n$ to allow for a perfect attack. Restricting to perfect attacks makes the claims rather weak from a cryptographic point of view; we hope that this can be improved in future work.

The Garden-Hose Complexity

In order to isolate the properties of attacks on these one-qubit schemes, we define a new model of communication complexity which we call the garden-hose model. Alice and Bob as usual have to compute a Boolean function $f(x,y)$. In order to do so they possess a number of water pipes that lay between them. Moreover, they each have additional pieces of hose that they can use to connect up the ends of the water pipes that are at their side. For example, Alice may choose to connect pipe 17 with 19 and pipe 28 with 687 etc. Bob connects up the ends of the pipes on his side. For each input they can use a different connection scheme. In order to compute the function, Alice in addition has a source of water that she connects to one of the pipes on her side. She now opens the water tap. It is easy to see that the water will flow out on one side only. If this is Alice’s then they proclaim the function value to be 0, otherwise the function value is 1.
We define the garden-hose complexity of $f$ to be the minimum number of pipes needed to compute $f$.

The garden-hose model links the number of EPR pairs sufficient to attack a quantum position-verification scheme to traditional complexity theory: the number of EPR pairs needed for a successful attack is upper bounded by the garden-hose complexity of $f$. Unfortunately, so far it is unclear whether the garden-hose complexity by any means gives a lower bound on the number of EPR pairs needed. If it does, then this gives a nice handle on proving security of such schemes based on complexity-theoretical assumptions. In order to have a practical scheme, we will need a function $f$ in the complexity class P that has “large” garden-hose complexity. The existence of a function in P with super-polynomial garden-hose complexity will separate the complexity class P from LOGSPACE, which is a longstanding open problem.

Beyond its connection to position-based quantum cryptography, we feel that the garden-hose complexity is interesting in its own right, and trying to understand its connections to other complexity measures appears like a challenging goal. In this paper we give some first answers, but many questions regarding the garden-hose complexity require further research.

Summary

In summary, the main results of this paper are the following:

– We show that a quantum position-verification protocol by Beigi and König [BK11] can be attacked with a linear amount of EPR pairs, establishing that their lower bound is optimal up to a constant factor.
– We study an interesting class of position-verification schemes that may have the following property: the more classical resources the honest users use to faithfully execute the scheme, the more quantum resources the adversary needs in order to break it. We give some first results towards proving this desirable property.
– We introduce a new model of communication complexity, called the garden-hose model. The model is an abstraction of certain types of attacks against the above class of position-verification schemes.
  As such, tools from classical communication complexity can be used to obtain upper bounds on the number of EPR pairs needed to break a given scheme.
– We prove almost-linear lower bounds in the garden-hose model for concrete functions like inner product, majority, and equality. We show that random functions have exponential garden-hose complexity.
– We establish that all functions computable in log space have polynomial garden-hose complexity. As a corollary, we obtain the following interesting connection between proving the security of quantum protocols and classical complexity theory: If there is an $f$ in P such that there is no attack on our scheme using a polynomial number of EPR pairs, then P $\neq$ LOGSPACE.
– Our approach may lead to practical secure quantum position-verification schemes whose security is based on classical complexity-theoretical assumptions such as P is different from LOGSPACE.

2 Preliminaries

We assume that the reader is familiar with basic concepts of quantum information theory. We refer to [NC00] for an introduction and merely fix some notation here.

2.1 Quantum Teleportation

An important example of a 2-qubit state is the EPR pair, which is given by

$$|\Phi\rangle_{AB} = \big(|0\rangle_A|0\rangle_B + |1\rangle_A|1\rangle_B\big)/\sqrt{2} \;\in\; \mathcal{H}_A \otimes \mathcal{H}_B = \mathbb{C}^2 \otimes \mathbb{C}^2$$

and has the following properties: if qubit $A$ is measured in the computational basis, then a uniformly random bit $x \in \{0,1\}$ is observed and qubit $B$ collapses to $|x\rangle$. Similarly, if qubit $A$ is measured in the Hadamard basis, then a uniformly random bit $x \in \{0,1\}$ is observed and qubit $B$ collapses to $H|x\rangle$.

The goal of quantum teleportation is to transfer a quantum state from one location to another by only communicating classical information. Teleportation requires pre-shared entanglement among the two locations.
To teleport a qubit $Q$ in an arbitrary unknown state $|\psi\rangle_Q$ from Alice to Bob, Alice performs a Bell-measurement on $Q$ and her half of an EPR pair, yielding a classical measurement outcome $k \in \{0,1,2,3\}$. Instantaneously, the other half of the corresponding EPR pair, which is held by Bob, turns into the state $\sigma_k|\psi\rangle$, where $\sigma_0, \sigma_1, \sigma_2, \sigma_3$ denote the four Pauli-corrections $\{I, X, Z, XZ\}$, respectively. The classical information $k$ is then communicated to Bob who can recover the state $|\psi\rangle$ by performing $\sigma_k$ on his EPR half.

3 On the (In)Security of a Proposed Protocol For Position Verification

3.1 Mutually Unbiased Bases

We use the following standard definition of mutually unbiased bases.

Definition 3.1. Two orthonormal bases $\{|e^a_i\rangle\}_{i=1,\ldots,d}$ and $\{|e^b_j\rangle\}_{j=1,\ldots,d}$ of $\mathbb{C}^d$ are called mutually unbiased, if $|\langle e^a_i | e^b_j \rangle|^2 = \frac{1}{d}$ holds for all $i, j \in \{1,\ldots,d\}$.

A Pauli operator on an $n$-qubit state is the tensor product of $n$ one-qubit Pauli matrices. Hence, there are $4^n$ Pauli operators in total. For $i \in \{0,1,2,3\}^n$, we can write the Pauli operator $O_i$ as

$$O_i = \sigma^1_{i_1} \sigma^2_{i_2} \cdots \sigma^n_{i_n} = \prod_{k=1}^{n} \sigma^k_{i_k}$$

where $\sigma^k_j$ is the $j$-th Pauli matrix acting on qubit $k$ (tensored with the identity on the other qubits).

Excluding the identity, there are $4^n - 1$ Pauli operators. These can be partitioned in $2^n + 1$ distinct subsets consisting of $2^n - 1$ commuting operators each [LBZ02]. The $2^n$ common eigenvectors of such a set of $2^n - 1$ commuting operators define an orthonormal basis. It can be shown that for any such partitioning, the resulting $2^n + 1$ bases are pairwise mutually unbiased [LBZ02]. We denote by $|e^a_x\rangle$ the $x$-th basis vector of the $a$-th mutually unbiased basis of this construction, where $x \in \{0,1\}^n$ and $a \in A$ for a set $A$ of $2^n + 1$ elements.

In the following, we will exploit a special property of this construction of mutually unbiased bases in order to attack a protocol for position-verification recently proposed by Beigi and König [BK11].
In particular, we use the fact that applying a Pauli operator only permutes the basis vectors within every mutually unbiased basis, but does not map any basis vector into another basis. This property is captured by the following lemma.

Lemma 3.2. Let $U$ be an arbitrary Pauli operator on $n$ qubits. For arbitrary $a \in A$ and $x \in \{0,1\}^n$, let $|e^a_x\rangle$ be the $x$-th basis vector of the $a$-th mutually unbiased basis obtained from the construction above. Then, there exists $z \in \{0,1\}^n$ such that $U|e^a_x\rangle = |e^a_z\rangle$.

Proof. We can write $U$ as

$$U = \sigma^1_{r_1} \sigma^2_{r_2} \cdots \sigma^n_{r_n} = \prod_{k=1}^{n} \sigma^k_{r_k}.$$

Assume $|e^a_x\rangle$ is a common eigenvector of an internally commuting subset $A$ of the Pauli operators, like described earlier. Denote the $2^n - 1$ elements of $A$ by $O^A_\ell$ with $\ell \in \{1,\ldots,2^n - 1\}$. Note that $\sigma_0\sigma_i = \sigma_i\sigma_0$ for $i \in \{0,1,2,3\}$ and $\sigma_i\sigma_j = (-1)^{\delta_{ij}}\sigma_j\sigma_i$ for $i, j \in \{1,2,3\}$ and $\delta_{ij}$ the Kronecker $\delta$-function. Because $|e^a_x\rangle$ is a common eigenvector of the Pauli operators in this set, it holds for all $\ell$ that $O^A_\ell|e^a_x\rangle = \lambda_\ell|e^a_x\rangle$ for some eigenvalue $\lambda_\ell$. To prove the claim, we show that $U|e^a_x\rangle$ is also an eigenvector of all $O^A_\ell$, with some (possibly different) eigenvalue $\lambda'_\ell$.

$$\begin{aligned}
O^A_\ell U |e^a_x\rangle &= \prod_{k=1}^{n} \sigma^k_{\ell_k} \sigma^k_{r_k} |e^a_x\rangle \\
&= (-1)^{\alpha(r,\ell)} \prod_{k=1}^{n} \sigma^k_{r_k} \sigma^k_{\ell_k} |e^a_x\rangle \\
&= (-1)^{\alpha(r,\ell)} U O^A_\ell |e^a_x\rangle \\
&= \lambda'_\ell U |e^a_x\rangle,
\end{aligned}$$

where we define $\lambda'_\ell := (-1)^{\alpha(r,\ell)}\lambda_\ell$ and the function $\alpha(r,\ell)$ determines the phase arising from the commutation relations of the $\sigma_{r_k}$'s and $\sigma_{\ell_k}$'s. Because $U|e^a_x\rangle$ is a common eigenvector of all $O^A_\ell$, there exists $z \in \{0,1\}^n$ such that $|e^a_z\rangle = U|e^a_x\rangle$. □

3.2 The Protocol

The protocol described in Figure 1 uses an (almost) complete set of mutually unbiased bases $\{|e^a_x\rangle_{x=1,\ldots,2^n}\}_{a\in\{0,1\}^n}$ as defined above.
The protocol can be seen as a higher-dimensional extension of the basic BB84-protocols proposed and analyzed in [KMS11, BCF+11].

In [BK11], Beigi and König show that $\mathrm{PV}_{\mathrm{MUB}}$ is secure against adversaries that share fewer than $n/2$ EPR pairs and are restricted to one round of simultaneous classical communication. They leave open whether the protocol remains secure against colluding adversaries that share more entanglement. We answer this question here. In the rest of the section, we show that for the construction of MUBs mentioned above, it is sufficient for adversaries to share $n$ EPR pairs in order to perfectly break the protocol $\mathrm{PV}_{\mathrm{MUB}}$. It follows that the lower bound on the number of EPR pairs given in [BK11] is optimal up to constant factors.

0. $V_0$ and $V_1$ share common (secret) randomness in the form of uniformly distributed bitstrings $a, x \in \{0,1\}^n$.
1. $V_0$ sends $a$ to $P$ and $V_1$ prepares the state $|e^a_x\rangle$ and sends it to $P$. The timing is chosen such that both the classical information and the quantum state arrive at the prover at the same time.
2. $P$ measures the state in the basis $\{|e^a_i\rangle\}_i$, getting measurement outcome $\hat{x} \in \{0,1\}^n$. He sends $\hat{x}$ to both $V_0$ and $V_1$.
3. $V_0$ and $V_1$ accept if they receive $\hat{x}$ at times consistent with $\hat{x}$ being emitted from the claimed position in both directions simultaneously, and $\hat{x} = x$.

Fig. 1. Protocol $\mathrm{PV}_{\mathrm{MUB}}$ from [BK11] for position-verification using mutually unbiased bases.

3.3 The Attack

The attack reported here is very similar to the attack on the BB84-scheme described in [KMS11]. The colluding adversaries $\tilde{P}_0$ and $\tilde{P}_1$ set up between the prover’s claimed position and the verifiers $V_0$ and $V_1$, intercepting messages from $V_0$ and $V_1$.

Adversary $\tilde{P}_0$ has knowledge of the basis $a$ and $\tilde{P}_1$ gets the state $|e^a_x\rangle$. Our attack shows that using $n$ ebits and one round of simultaneous classical communication suffices to determine $x$, and thus breaking protocol $\mathrm{PV}_{\mathrm{MUB}}$.
We assume that the set of mutually unbiased bases used is equivalent to a MUB basis obtained by a partitioning of Pauli operators as described above. To the best of our knowledge, any currently known construction of mutually unbiased basis sets of dimension $2^n$ is of this form. If the used set of mutually unbiased bases differs from one of these by a unitary transform, the attack still works by the adversaries just applying this unitary before the first step.

As soon as $\tilde{P}_1$ receives the state $|e^a_x\rangle$, she teleports it to $\tilde{P}_0$ and forwards the classical outcome of the teleportation measurement indicating the needed Pauli correction $U$. Using Lemma 3.2, the teleported state is still a basis vector of the same mutually unbiased basis, i.e. the state $\tilde{P}_0$ has before correction is $|e^a_z\rangle$, with $z$ depending on the teleportation measurement outcome. $\tilde{P}_0$ measures $|e^a_z\rangle$ in basis $a$, getting outcome $z$ which she sends to $\tilde{P}_1$.

Now both adversaries hold $a$, $z$ and the teleportation Pauli correction $U$. It is straightforward to (classically) derive the correct $x$, it is the measurement outcome in basis $a$ of the state $|e^a_x\rangle = U|e^a_z\rangle$ after applying the Pauli correction $U$.

4 The Garden-Hose Game

4.1 Motivation

The results of this section are motivated by the study of a particular quantum protocol for secure position verification, described in Figure 2. The protocol is of the generic form described in Section 3.2 of [BCF+11]. In Step 0, the verifiers prepare challenges for the prover. In Step 1, they send the challenges, timed in such a way that they all arrive at the same time at the prover. In Step 2, the prover computes his answers and sends them back to the verifiers. Finally, in Step 3, the verifiers verify the timing and correctness of the answer.

As in [BCF+11], we consider here for simplicity the case where all players live in one dimension, the basic ideas generalize to higher dimensions.
In one dimension, we can focus on the case of two verifiers $V_0, V_1$ and an honest prover $P$ in between them.

We minimize the amount of quantum communication in that only one verifier, say $V_0$, sends a qubit to the prover, whereas both verifiers send classical $n$-bit strings $x, y \in \{0,1\}^n$ that arrive at the same time at the prover. We fix a publicly known boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ whose output $f(x,y)$ decides whether the prover has to return the qubit (unchanged) to verifier $V_0$ (in case $f(x,y) = 0$) or to verifier $V_1$ (if $f(x,y) = 1$).

0. $V_0$ randomly chooses two $n$-bit strings $x, y \in \{0,1\}^n$ and privately sends $y$ to $V_1$. $V_0$ prepares an EPR pair $(|0\rangle_V|0\rangle_P + |1\rangle_V|1\rangle_P)/\sqrt{2}$. If $f(x,y) = 0$, $V_0$ keeps the qubit in register $V$. Otherwise, $V_0$ sends the qubit in register $V$ privately to $V_1$.
1. $V_0$ sends the qubit in register $P$ to the prover $P$ together with the classical $n$-bit string $x$. $V_1$ sends $y$ so that it arrives at the same time as the information from $V_0$ at $P$.
2. $P$ evaluates $f(x,y) \in \{0,1\}$ and routes the qubit to $V_{f(x,y)}$.
3. $V_0$ and $V_1$ accept if the qubit arrives in time at the right verifier and the Bell measurement of the received qubit together with the qubit in $V$ yields the correct outcome.

Fig. 2. Position-verification scheme $\mathrm{PV}_{\mathrm{qubit}}$ using one qubit and classical $n$-bit strings.

The motivation for considering this protocol is the following: As the protocol uses only one qubit which needs to be correctly routed, the honest prover’s quantum actions are trivial to perform. His main task is evaluating a classical boolean function $f$ on classical inputs $x$ and $y$ whose bit size $n$ can be easily scaled up. On the other hand, our results in this section suggest that the adversary’s job of successfully attacking the protocol becomes harder and harder for larger input strings $x, y$.
The hope is that for “complicated enough” functions $f(x,y)$, the amount of EPR pairs (ebits) needed to successfully break the security of the protocol $\mathrm{PV}_{\mathrm{qubit}}$ grows (at least) linearly in the bit length $n$ of the classical strings $x, y$.

If this intuition can be proven to be true, it is a very interesting property of the protocol that we obtain a favorable relation between quantum and classical difficulty of operations in the following sense: if we increase the length of the classical inputs $x, y$, we require more classical computing power of the honest prover, whereas more quantum resources (ebits) are required by the adversary to break the protocol. To the best of our knowledge, such a trade-off has never been observed for a quantum-cryptographic protocol.

In order to analyze the security of the protocol $\mathrm{PV}_{\mathrm{qubit}}$, we define the following communication game in which Alice and Bob play the roles of the adversarial attackers of $\mathrm{PV}_{\mathrm{qubit}}$. Alice starts with an unknown qubit $|\phi\rangle$ and a classical $n$-bit string $x$ while Bob holds the $n$-bit string $y$. They also share some quantum state $|\eta\rangle_{AB}$ and both players know the Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$. The players are allowed one round of simultaneous classical communication combined with arbitrary local quantum operations. When $f(x,y) = 0$, Alice should be in possession of the state $|\phi\rangle$ at the end of the protocol and on $f(x,y) = 1$, Bob should hold it.

As a simple example consider the case where $f(x,y) = x \oplus y$, the exclusive OR function, with 1-bit inputs $x$ and $y$. Alice and Bob then have the following way of performing this task perfectly by using a pre-shared quantum state consisting of three EPR pairs (three ebits). Label the first two EPR pairs 0 and 1. Alice teleports $|\phi\rangle$ to Bob using the pair labeled with her input $x$. This yields measurement result $i \in \{0,1,2,3\}$, while Bob teleports his half of the EPR pair labeled $y$ to Alice using his half of the third EPR pair while obtaining measurement outcome $j \in \{0,1,2,3\}$.
In the round of simultaneous communication, both players send the classical measurement results and their inputs $x$ or $y$ to the other player. If $x \oplus y = 1$, i.e. $x$ and $y$ are different bits, Bob can apply the Pauli operator $\sigma_i$ to his half of the EPR pair labeled $x = y \oplus 1$, correctly recovering $|\phi\rangle$. Similarly, if $x \oplus y = 0$, it is easy to check that Alice can recover the qubit by applying $\sigma_i\sigma_j$ to her half of the third EPR pair.

If Alice and Bob are constrained to the types of actions in the example above, i.e., if they are restricted to teleporting the quantum state back and forth depending on their classical inputs, we obtain the following notion of garden-hose game and garden-hose complexity.

4.2 Definition of the Garden-Hose Game

Alice and Bob get $n$-bit input strings $x$ and $y$, respectively. Their goal is to “compute” an agreed-upon Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ on these inputs, in the following way. We assume that Alice and Bob have $s$ pipes between them. Depending on their respective classical inputs $x$ and $y$, they connect their ends of the pipes with pieces of hose, of which they have an unlimited amount. Note however, that we do not allow “T-pieces” (or more complicated constructions) of hose which connect two or more pipes to one, or vice versa; only one-to-one connections are allowed. Alice has a source of water which she connects to one of the pipes, and then she turns on the water. It is easy to check that no “deadlocks” are possible and hence the water will flow out on either of the sides. They succeed in computing $f$ (we may also say: they win the garden-hose game), if the water comes out of one of the pipes on Alice’s side whenever $f(x,y) = 0$, and the water comes out of one of the pipes on Bob’s side whenever $f(x,y) = 1$. Note that it does not matter out of which pipe the water flows, only on which side it flows. We stress once more that what makes the game non-trivial is that Alice and Bob must do their “plumbing” based on their local input only, and they are not allowed to communicate.
We refer to Figure 3 for an illustration of computing the XOR function in the garden-hose model.

Fig. 3. Garden-hose game for the XOR function. (Figure not reproduced; it shows Alice's connections for $x = 0$ and $x = 1$, Bob's connections for $y = 0$ and $y = 1$, the water source, and the outputs 0 and 1.)

We can translate any strategy of Alice and Bob in the garden-hose game to a perfect quantum attack of $\mathrm{PV}_{\mathrm{qubit}}$ by using one EPR pair per pipe and performing Bell measurements where the players connect the pipes. Our hope is that also the converse is true in spirit: if many pipes are required to compute $f$, say we need superpolynomially many, then the number of EPR pairs needed for Alice and Bob to successfully break $\mathrm{PV}_{\mathrm{qubit}}$ with probability close to 1 by means of an arbitrary attack (not restricted to Bell measurements on EPR pairs) should also be superpolynomial. We leave this as an interesting problem for future research. We stress that for this application, a polynomial lower bound on the number of pipes, and thus on the number of EPR pairs, is already interesting.

We formalize the above description of the garden-hose game, given in terms of pipes and hoses etc., by means of rigorous graph-theoretic terminology. However, we feel that the above terminology captures the notion of a garden-hose game very well, and thus we sometimes use the above “watery” terminology. We start with a balanced bi-partite graph $(A \cup B, E)$ which is 1-regular and where the cardinality of $A$ and $B$ is $|A| = |B| = s$, for an arbitrary large $s \in \mathbb{N}$. We slightly abuse notation and denote both the vertices in $A$ and in $B$ by the integers $1, \ldots, s$. If we need to distinguish $i \in A$ from $i \in B$, we use the notation $i^A$ and $i^B$. We may assume that $E$ consists of the edges that connect $i \in A$ with $i \in B$ for every $i \in \{1,\ldots,s\}$, i.e., $E = \{\{i^A, i^B\} : 1 \le i \le s\}$. These edges in $E$ are the pipes in the above terminology. We now extend the graph to $(A_\circ \cup B, E)$ by adding a vertex 0 to $A$, resulting in $A_\circ = A \cup \{0\}$. This vertex corresponds to the water tap, which Alice can connect to one of the pipes.
Given a Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$, consider two functions $E_{A_\circ}$ and $E_B$; both take as input a string in $\{0,1\}^n$ and output a set of edges (without self loops). For any $x, y \in \{0,1\}^n$, $E_{A_\circ}(x)$ is a set of edges on the vertices $A_\circ$ and $E_B(y)$ is a set of edges on the vertices $B$, so that the resulting graphs $(A_\circ, E_{A_\circ}(x))$ and $(B, E_B(y))$ have maximum degree at most 1. $E_{A_\circ}(x)$ consists of the connections among the pipes (and the tap) on Alice’s side (on input $x$), and correspondingly for $E_B(y)$. For any $x, y \in \{0,1\}^n$, we define the graph $G(x,y) = (A_\circ \cup B, E \cup E_{A_\circ}(x) \cup E_B(y))$ by adding the edges $E_{A_\circ}(x)$ and $E_B(y)$ to $E$. $G(x,y)$ consists of the pipes with the connections added by Alice and Bob. Note that the vertex $0 \in A_\circ$ has degree at most 1, and the graph $G(x,y)$ has maximum degree at most 2; it follows that the maximal path $\pi(x,y)$ that starts at the vertex $0 \in A_\circ$ is uniquely determined. $\pi(x,y)$ represents the flow of the water, and the endpoint of $\pi(x,y)$ determines whether the water comes out on Alice or on Bob’s side (depending on whether it is in $A_\circ$ or in $B$).

Definition 4.1. A garden-hose game is given by a graph function $G : (x,y) \mapsto G(x,y)$ as described above. The number of pipes $s$ is called the size of $G$, and is denoted as $s(G)$. A garden-hose game $G$ is said to compute a Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ if the endpoint of the maximal path $\pi(x,y)$ starting at 0 is in $A_\circ$ whenever $f(x,y) = 0$ and in $B$ whenever $f(x,y) = 1$.

Definition 4.2. The (deterministic) garden-hose complexity of a Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is the size $s(G)$ of the smallest garden-hose game $G$ that computes $f$. We denote it by $GH(f)$.

We start with a simple upper bound on $GH(f)$ which is implicitly proven in the attack on Scheme II in [KMS11].

Proposition 4.3. For every Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$, the garden-hose complexity is at most $GH(f) \le 2^n + 1$.

Proof. We identify $\{0,1\}^n$ with $\{1,\ldots,2^n\}$ in the natural way.
For $s = 2^n + 1$ and the resulting bipartite graph $(A_\circ \cup B, E)$, we can define $E_{A_\circ}$ and $E_B$ as follows. $E_{A_\circ}(x)$ is set to $\{(0,x)\}$, meaning that Alice connects the tap with the pipe labeled by her input $x$. To define $E_B$, group the set $Z(y) = \{a \in \{0,1\}^n : f(a,y) = 0\}$ arbitrarily into disjoint pairs $\{a_1,a_2\} \cup \{a_3,a_4\} \cup \ldots \cup \{a_{\ell-1},a_\ell\}$ and set $E_B(y) = \{\{a_1,a_2\},\{a_3,a_4\},\ldots,\{a_{\ell-1},a_\ell\}\}$. If $\ell = |Z(y)|$ is odd so that the decomposition into pairs results in a left-over $\{a_\ell\}$, then $a_\ell$ is connected with the “reserve” pipe labeled by $2^n + 1$.

By construction, if $x \in Z(y)$ then $x = a_i$ for some $i$, and thus pipe $x = a_i$ is connected on Bob’s side with pipe $a_{i-1}$ or $a_{i+1}$, depending on the parity of $i$, or with the “reserve” pipe, and thus $\pi(x,y)$ is of the form $\pi(x,y) = (0, x^A, x^B, v^B, v^A)$, ending in $A_\circ$. On the other hand, if $x \notin Z(y)$, then pipe $x$ is not connected on Bob’s side, and thus $\pi(x,y) = (0, x^A, x^B)$, ending in $B$. This proves the claim. □

We notice that the same proof shows that the garden-hose complexity $GH(f)$ is at most $2^k + 1$, when $k$ is the one-way communication complexity from Alice to Bob of $f$.²

We introduce the following terminology. We say that a function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is obtained from a function $g : \{0,1\}^m \times \{0,1\}^m \to \{0,1\}$ by local pre-processing if $f$ is of the form $f(x,y) = g(\alpha(x), \beta(y))$, where $\alpha$ and $\beta$ are arbitrary functions $\{0,1\}^n \to \{0,1\}^m$. The following invariance under local preprocessing follows immediately from the definition of the garden-hose complexity.

Lemma 4.4. If $f$ is obtained from $g$ by local pre-processing, then $GH(f) \le GH(g)$.

4.3 Garden-Hose Complexity and Log-Space Computations

The following theorem shows that for a large class of functions, a polynomial amount of pipes suffices to win the garden-hose game.
A function $f$ with an $n$-bit input is log-space computable if there is a deterministic Turing machine $M$ and a constant $c$, such that $M$ outputs the correct value of $f$, and at most $c \cdot \log n$ locations³ of $M$’s work tapes are ever visited by $M$’s head during computation of every input of length $n$.

Theorem 4.5. If $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is log-space computable, then $GH(f)$ is polynomial in $n$.

In combination with Lemma 4.4, it follows immediately that the same conclusion also holds for functions that are log-space computable up to local pre-processing, i.e., for any function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ that is obtained from a log-space computable function $g : \{0,1\}^m \times \{0,1\}^m \to \{0,1\}$ by local pre-processing, where $m$ is polynomial in $n$. Below, in Proposition 4.7, we show that log-space up to local pre-processing is also necessary for a polynomial garden-hose complexity.

We will later see (Proposition 4.11) that there exist functions with large garden-hose complexity. However, a negative implication of Theorem 4.5 is that proving the existence of a polynomial-time computable function $f$ with exponential garden-hose complexity is at least as hard as separating L from P, a long-standing open problem in complexity theory.

Corollary 4.6. If there exists a function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ in P that has superpolynomial garden-hose complexity, then P $\neq$ L.

Proof (of Theorem 4.5). Let $M$ be a deterministic Turing machine deciding $f(x,y) = 0$. We assume that $M$’s read-only input tape is of length $2n$ and contains $x$ on positions 1 to $n$ and $y$ on positions $n+1$ to $2n$. By assumption $M$ uses logarithmic space on its work tapes.

² Or if needed, with a small adjustment in the protocol, $2^k + 2$ with $k$ the one-way communication complexity of Bob to Alice.
³ All logarithms in this paper are with respect to base 2.
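
Added example (not code from the paper): a small Python simulator for the garden-hose game of Definition 4.1, running the three-pipe XOR strategy from Section 4.1 and the $2^n + 1$-pipe strategy from the proof of Proposition 4.3. The function names, the encoding of $n$-bit inputs as integers $0, \ldots, 2^n - 1$, and the sample functions are assumptions made for this illustration.

```python
"""Garden-hose game simulator (illustrative; n-bit inputs are encoded as integers)."""

ALICE, BOB, TAP = "A", "B", 0   # TAP is the extra vertex 0 on Alice's side


def _matching(hoses, allowed):
    """Turn a list of hose pairs into a symmetric lookup, rejecting T-pieces."""
    allowed, links = set(allowed), {}
    for u, v in hoses:
        if u == v or not {u, v} <= allowed or u in links or v in links:
            raise ValueError(f"illegal hose {(u, v)}: only one-to-one connections")
        links[u], links[v] = v, u
    return links


def trace_water(s, alice_hoses, bob_hoses):
    """Follow the maximal path pi(x, y) from the tap; return (side, pipe) of the exit."""
    a = _matching(alice_hoses, range(0, s + 1))     # Alice may also use the tap
    b = _matching(bob_hoses, range(1, s + 1))
    if TAP not in a:
        return ALICE, TAP                           # tap left open: path ends at vertex 0
    pipe, side = a[TAP], ALICE
    while True:                                     # terminates: max degree 2, start degree 1
        side = BOB if side == ALICE else ALICE      # water crosses the pipe
        links = b if side == BOB else a
        if pipe not in links:
            return side, pipe                       # open pipe end: water spills here
        pipe = links[pipe]                          # hose leads into the next pipe


def output(game, x, y):
    """Value computed by the game: 0 if the water exits on Alice's side, else 1."""
    s, alice, bob = game
    side, _ = trace_water(s, alice(x), bob(y))
    return 0 if side == ALICE else 1


def computes(game, f, n):
    """Check the game against f on every pair of n-bit inputs."""
    return all(output(game, x, y) == f(x, y)
               for x in range(2 ** n) for y in range(2 ** n))


def xor_game():
    """Three pipes: pipes 1 and 2 stand for bit values 0 and 1, pipe 3 leads back."""
    return 3, (lambda x: [(TAP, x + 1)]), (lambda y: [(y + 1, 3)])


def generic_game(f, n):
    """Strategy from the proof of Proposition 4.3, using 2**n + 1 pipes."""
    reserve = 2 ** n + 1

    def alice(x):
        return [(TAP, x + 1)]                       # tap goes into the pipe labelled x

    def bob(y):
        zeros = [a + 1 for a in range(2 ** n) if f(a, y) == 0]   # the set Z(y)
        if len(zeros) % 2:
            zeros.append(reserve)                   # odd |Z(y)|: use the reserve pipe
        return list(zip(zeros[0::2], zeros[1::2]))  # pair up the pipes of Z(y)

    return reserve, alice, bob


# Constructed sample functions on integer-encoded inputs.
def xor1(x, y):
    return x ^ y


def inner_product(x, y):
    return bin(x & y).count("1") % 2


def equality(x, y):
    return int(x == y)


if __name__ == "__main__":
    print("XOR with 3 pipes:", computes(xor_game(), xor1, 1))
    for name, f in [("inner product", inner_product), ("equality", equality)]:
        game = generic_game(f, 3)
        print(f"{name}, n=3, {game[0]} pipes:", computes(game, f, 3))
```

Each pipe on the water's path corresponds to one EPR pair consumed in the teleportation attack, so the `s` returned by a strategy is the entanglement budget that strategy needs.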
